Accidental Technologist

Musings about Entrepreneurship, Technology and Software Development


Ruby Denial of Service (DoS) Vulnerability Options

June 10, 2009 by Rob Bazinet 2 Comments


A potentially harmful vulnerability was found in all pre-1.9.1 versions of Ruby.  The issue was reported on the Ruby-lang web site, which says it affects:

1.8 series

  • 1.8.6-p368 and all prior versions
  • 1.8.7-p160 and all prior versions

Ruby 1.9.1 does not suffer from this problem, but it appears that JRuby does have this issue; it has been tested to prove it.

The Problem

The issue is pretty simple to reproduce.  BigDecimal, when asked to parse an overly large number, causes segmentation faults.  The following will reveal the problem:

require 'bigdecimal'
BigDecimal("9E69999999").to_s("F")

Solutions

There are quite a few solutions to this problem and most involve patching an existing installation of Ruby.  The Ruby web site offers links to download Ruby source for both 1.8.6 and 1.8.7:

Please upgrade to 1.8.6-p369 or ruby-1.8.7-p173.

  • ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p369.tar.gz
  • ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p173.tar.gz
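Two checks a practitioner would want before and after upgrading, written as an added example (not code from the original post or from ruby-lang): a classifier that maps a Ruby version and patch level onto the advisory's fixed patch levels (1.8.6-p369 and 1.8.7-p173; 1.9.1 and later are unaffected), and a wrapper that rejects strings with an absurd decimal exponent before they reach BigDecimal.  The MAX_DECIMAL_EXPONENT limit and the safe_bigdecimal name are assumptions of this example.

```ruby
require 'bigdecimal'

# Fixed patch levels from the ruby-lang advisory quoted in the post.
# Any earlier patch level in these series, and any earlier 1.8 release, is affected.
FIXED_PATCHLEVELS = { "1.8.6" => 369, "1.8.7" => 173 }.freeze

# Classify a Ruby version ("1.8.7") and patch level (160) as
# :vulnerable, :fixed or :unaffected with respect to the BigDecimal DoS.
def bigdecimal_dos_status(version, patchlevel)
  major, minor, _tiny = version.split(".").map(&:to_i)
  return :unaffected if major > 1 || (major == 1 && minor >= 9)  # 1.9.1 and later
  fixed = FIXED_PATCHLEVELS[version]
  return :vulnerable if fixed.nil?            # older 1.8 release with no listed fix
  patchlevel.to_i >= fixed ? :fixed : :vulnerable
end

# Status of the interpreter this script is running under (RUBY_VERSION and
# RUBY_PATCHLEVEL are the interpreter's own constants).
def running_ruby_status
  bigdecimal_dos_status(RUBY_VERSION, RUBY_PATCHLEVEL)
end

# Constructed limit (an assumption, not from the post): a decimal exponent this
# large has no legitimate use in typical application input, so reject it before
# BigDecimal ever sees it. Use this where strings from untrusted sources (form
# fields, XML/JSON bodies) are converted to BigDecimal.
MAX_DECIMAL_EXPONENT = 1_000

def safe_bigdecimal(str)
  s = str.to_s.strip
  if s =~ /[eE]([+-]?\d+)\z/ && $1.to_i.abs > MAX_DECIMAL_EXPONENT
    raise ArgumentError, "decimal exponent out of range: #{s}"
  end
  BigDecimal(s)
end

if __FILE__ == $0
  puts "Running Ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}: #{running_ruby_status}"
  puts safe_bigdecimal("123.45").to_s("F")
  begin
    safe_bigdecimal("9E69999999")   # the reproducer from the post, rejected up front
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```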

There are various things to consider when doing an update like this and building from source.  I am an Ubuntu user and installed Ruby with the aptitude package manager so that I could easily update to a later version of Ruby when one was released.  The problem here is that the package sources won't be updated right away, and I will be stuck with the vulnerability until new packages are created and put out.  I probably won't be affected by this issue, as I have not been yet, but I would rather be safe, especially for my customers.

Having used a package manager, Ruby is installed in:

/usr/bin

The option at this point is to download and build Ruby from source.  Building Ruby from the source on the Ruby website will by default put Ruby in:

/usr/local/bin

I won't get into installing Ruby from source here; there are many good tutorials, including one from FiveRuns, Compiling Ruby, RubyGems and Rails on Ubuntu.  You can use this tutorial for either flavor of Ruby.  Keep in mind you may need to adjust the PATH setting in your bash profile to point to the right Ruby instance.  The post above states that Ubuntu already has this set; a quick check of my PATH confirms it indeed does.

One additional option that seems particularly attractive is Ruby Enterprise Edition (REE) from Phusion, the Passenger folks.  This group keeps on top of Ruby updates and is constantly updating their code.  They posted the DoS vulnerability fix almost right away and offer the source download or an Ubuntu package for 32 and 64-bit.

This is the option I am taking.  I have been wanting to move to REE for some time and I think now is the right time.  REE by default installs to the:

/opt/ruby_enterprise

directory, so a change to the bash environment is necessary.  The Phusion site has some good docs on how to install and configure REE:

Then follow the instructions that the installer gives you.

1.6. Configuring REE as the default Ruby interpreter

It is possible to configure REE as the default Ruby interpreter, so that when you type ruby, gem, irb, rake or other Ruby commands, REE's version is invoked instead of the system Ruby's version.

To do this, you must add REE's bin directory to the beginning of the PATH environment variable. This environment variable specifies the command shell's command search path. For example, you can do this on the command-line:

$ ruby some_program.rb    # <--- some_program.rb is being run
#      in the system Ruby interpreter.
$ export PATH=/opt/ruby-enterprise-X.X.X/bin:$PATH
$ ruby some_program.rb    # <--- some_program.rb will now be run in REE!

Invoking export PATH=... on the command-line has no permanent effect: its effects disappear as soon as you exit the shell. To make the effect permanent, add an entry to the file /etc/environment instead. On Ubuntu Linux, /etc/environment looks like this:

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"

Add REE's bin directory to the PATH environment variable, like this:

PATH="/opt/ruby-enterprise-x.x.x/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
LANG="en_US.UTF-8"
LANGUAGE="en_US:en"

This will give me both better memory usage and the added security of fixing BigDecimal.

This does affect Ruby on Rails, and there is a patch to Rails as a quick workaround.

Conclusion

It is great to have options, and open source gives us the ability to have many.  If building from source is the way to go, then keep in mind that all of the RubyGems already installed on the system(s) need to be installed again for the new version of Ruby.  This only applies if the PATH is changed so that a different Ruby is used.
